package org.apache.qpid.server.security.auth.manager.oauth2.google;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.plugin.PluggableService;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.manager.oauth2.IdentityResolverException;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2IdentityResolverService;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2Utils;
import org.apache.qpid.server.util.ConnectionBuilder;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

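@PluggableService
/**
 * Identity resolver that maps an OAuth2 access token to a user principal by calling
 * Google's {@code userinfo} endpoint and taking the {@code sub} claim as the user name.
 *
 * <p>The HTTP connection is built from the owning {@link OAuth2AuthenticationProvider}:
 * timeouts, the configured {@link TrustStore} (when present) and the TLS protocol and
 * cipher-suite allow/deny lists. The access token is sent only as a {@code Bearer}
 * credential and is never written to the log.
 */
public class GoogleOAuth2IdentityResolverService implements OAuth2IdentityResolverService {
    private static final Logger LOGGER = LoggerFactory.getLogger(GoogleOAuth2IdentityResolverService.class);
    private static final String UTF8 = StandardCharsets.UTF_8.name();
    public static final String TYPE = "GoogleUserInfo";

    /** Scope that must be requested for the userinfo endpoint to return {@code sub}. */
    private static final String REQUIRED_SCOPE = "profile";
    /** Name of the claim used as the user name. */
    private static final String SUBJECT_CLAIM = "sub";

    // These are constant, well-formed literals; URI.create cannot fail for them, so the
    // former try/catch returning null (and hiding a typo) is unnecessary.
    private static final URI DEFAULT_AUTHORIZATION_ENDPOINT = URI.create("https://accounts.google.com/o/oauth2/v2/auth");
    private static final URI DEFAULT_TOKEN_ENDPOINT = URI.create("https://www.googleapis.com/oauth2/v4/token");
    private static final URI DEFAULT_IDENTITY_RESOLVER_ENDPOINT = URI.create("https://www.googleapis.com/oauth2/v3/userinfo");

    private final ObjectMapper _objectMapper = new ObjectMapper();

    /** @return the pluggable type name of this resolver. */
    @Override
    public String getType() {
        return TYPE;
    }

    /**
     * Checks that the provider requests the {@code profile} scope, without which the
     * userinfo response carries no {@code sub} claim.
     *
     * @param oAuth2AuthenticationProvider the provider whose configuration is validated
     * @throws IllegalConfigurationException if the scope is unset or lacks {@code profile}
     */
    @Override
    public void validate(OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider) throws IllegalConfigurationException {
        String scope = oAuth2AuthenticationProvider.getScope();
        // Scope is a whitespace-separated list; match whole tokens so e.g. "profile.x" does not qualify.
        boolean hasProfile = scope != null && Arrays.asList(scope.split("\\s")).contains(REQUIRED_SCOPE);
        if (!hasProfile) {
            throw new IllegalConfigurationException("This identity resolver requires that scope 'profile' is included in the authentication request.");
        }
    }

    /**
     * Resolves the principal for an access token by calling the provider's identity
     * resolver endpoint with the token as a {@code Bearer} credential.
     *
     * @param oAuth2AuthenticationProvider provider supplying the endpoint, TLS settings and timeouts
     * @param accessToken the OAuth2 access token to present; never logged
     * @return a {@link UsernamePrincipal} whose name is the {@code sub} claim of the response
     * @throws IOException if the endpoint cannot be reached or the body is not JSON
     * @throws IdentityResolverException if the response code is not 200 or {@code sub} is missing/empty
     */
    @Override
    public Principal getUserPrincipal(OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider, String accessToken)
            throws IOException, IdentityResolverException {
        URL url = oAuth2AuthenticationProvider.getIdentityResolverEndpointURI().toURL();
        LOGGER.debug("About to call identity service '{}'", url);

        HttpURLConnection connection = buildConnection(oAuth2AuthenticationProvider, url);
        connection.setRequestProperty("Accept-Charset", UTF8);
        connection.setRequestProperty("Accept", "application/json");
        connection.setRequestProperty("Authorization", "Bearer " + accessToken);
        connection.connect();

        // try-with-resources replaces the decompiled close()/addSuppressed boilerplate.
        try (InputStream responseStream = OAuth2Utils.getResponseStream(connection)) {
            int responseCode = connection.getResponseCode();
            LOGGER.debug("Call to identity service '{}' complete, response code : {}", url, responseCode);

            // Check the status before parsing: a non-200 body need not be JSON, and a
            // failed call should be reported as such rather than as a parse error.
            if (responseCode != HttpURLConnection.HTTP_OK) {
                throw new IdentityResolverException(String.format("Identity resolver '%s' failed, response code %d", url, responseCode));
            }

            Map<?, ?> response;
            try {
                response = _objectMapper.readValue(responseStream, Map.class);
            } catch (JsonProcessingException e) {
                throw new IOException(String.format("Identity resolver '%s' did not return json", url), e);
            }

            Object subject = response.get(SUBJECT_CLAIM);
            if (subject == null) {
                throw new IdentityResolverException(String.format("Identity resolver '%s' failed, response did not include 'sub'", url));
            }
            // Only a non-empty string may become a user name; anything else is a malformed response.
            if (!(subject instanceof String) || ((String) subject).isEmpty()) {
                throw new IdentityResolverException(String.format("Identity resolver '%s' failed, 'sub' was not a non-empty string", url));
            }
            return new UsernamePrincipal((String) subject, oAuth2AuthenticationProvider);
        }
    }

    /**
     * Builds the HTTP connection to {@code url} with the provider's timeouts, trust store
     * and TLS protocol/cipher-suite lists applied.
     *
     * @throws IOException if {@link ConnectionBuilder#build()} fails
     * @throws ServerScopedRuntimeException if the trust store's trust managers cannot be obtained
     */
    private static HttpURLConnection buildConnection(OAuth2AuthenticationProvider<?> provider, URL url) throws IOException {
        ConnectionBuilder connectionBuilder = new ConnectionBuilder(url);
        connectionBuilder.setConnectTimeout(provider.getConnectTimeout())
                         .setReadTimeout(provider.getReadTimeout());

        TrustStore trustStore = provider.getTrustStore();
        if (trustStore != null) {
            try {
                connectionBuilder.setTrustMangers(trustStore.getTrustManagers());
            } catch (GeneralSecurityException e) {
                throw new ServerScopedRuntimeException("Cannot initialise TLS", e);
            }
        }

        connectionBuilder.setTlsProtocolWhiteList(provider.getTlsProtocolWhiteList())
                         .setTlsProtocolBlackList(provider.getTlsProtocolBlackList())
                         .setTlsCipherSuiteWhiteList(provider.getTlsCipherSuiteWhiteList())
                         .setTlsCipherSuiteBlackList(provider.getTlsCipherSuiteBlackList());
        return connectionBuilder.build();
    }

    /** @return Google's authorization endpoint; the provider argument is not consulted. */
    @Override
    public URI getDefaultAuthorizationEndpointURI(OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider) {
        return DEFAULT_AUTHORIZATION_ENDPOINT;
    }

    /** @return Google's token endpoint; the provider argument is not consulted. */
    @Override
    public URI getDefaultTokenEndpointURI(OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider) {
        return DEFAULT_TOKEN_ENDPOINT;
    }

    /** @return Google's userinfo endpoint; the provider argument is not consulted. */
    @Override
    public URI getDefaultIdentityResolverEndpointURI(OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider) {
        return DEFAULT_IDENTITY_RESOLVER_ENDPOINT;
    }

    /** @return the scope this resolver needs, {@code profile}; the provider argument is not consulted. */
    @Override
    public String getDefaultScope(OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider) {
        return REQUIRED_SCOPE;
    }
}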
